PsExec.exe

UAC Bypass

Actors will attempt to spawn a remote or local CMD with SYSTEM-level privileges (the -s switch) to bypass UAC or escalate privileges.

#Remote CMD
psexec -i -s \\marklap cmd
#Local CMD
psexec -i -s cmd

Execute Remote Commands

This command executes IpConfig on the remote system with the /all switch, and displays the resulting output locally:

psexec -i \\marklap ipconfig /all

If you omit a user name, the process will run in the context of your account on the remote system, but will not have access to network resources (because it is impersonating). Specify a valid user name in the Domain\User syntax if the remote process requires access to network resources or to run in a different account. Note that the password and command are encrypted in transit to the remote system.
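The two usage patterns above (a psexec launch with -s and/or a \\target, and the resulting SYSTEM shell on the target) are what a defender looks for in process-creation telemetry. The following is an added detection example, not code from the original page or from Sysinternals: it parses psexec command lines for the target and the -i/-s switches, and flags SYSTEM processes whose parent is the PsExec service. The log records are constructed for illustration; the service binary name PSEXESVC.exe (PsExec's default) and the set of value-taking switches are assumptions not stated on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    host: str          # endpoint that logged the process creation
    user: str          # account the new process runs as
    image: str         # full path of the new process
    parent_image: str  # full path of the parent process
    command_line: str  # command line as logged


# Matches psexec / psexec64, with or without .exe, with or without a path or quotes.
PSEXEC_RE = re.compile(r'(^|[\\/])"?psexec(64)?(\.exe)?"?$', re.IGNORECASE)
# Assumed: PsExec switches that consume the next token as their value
# (-u user, -p password, -n timeout, -w working directory).
VALUE_FLAGS = {"u", "p", "n", "w"}


def parse_psexec(command_line: str) -> Optional[Dict[str, object]]:
    """Return target, -s/-i usage and the remote command for a psexec line, else None."""
    argv = command_line.split()
    if not argv or not PSEXEC_RE.search(argv[0]):
        return None
    target = "local"
    flags = set()
    rest: List[str] = []
    it = iter(argv[1:])
    for tok in it:
        if rest:
            rest.append(tok)             # everything after the first non-switch token is the command
        elif tok.startswith("\\\\"):
            target = tok[2:]             # \\marklap -> marklap
        elif tok.startswith("-") and len(tok) > 1:
            flag = tok[1:].lower()
            flags.add(flag)
            if flag in VALUE_FLAGS:
                next(it, None)           # skip the switch's value
        else:
            rest.append(tok)
    return {
        "target": target,
        "system": "s" in flags,          # -s: run as SYSTEM
        "interactive": "i" in flags,     # -i: interactive desktop
        "command": " ".join(rest),
    }


def review_events(events: List[ProcEvent]) -> List[Dict[str, str]]:
    """Emit one alert per psexec launch that is remote or SYSTEM, and per SYSTEM child of the service."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        info = parse_psexec(ev.command_line)
        if info and (info["system"] or info["target"] != "local"):
            alerts.append({
                "host": ev.host,
                "kind": "psexec_launch",
                "detail": f"{ev.user} -> {info['target']} system={info['system']} cmd={info['command']!r}",
            })
        # Assumed service name: the -s case on the target shows up as a SYSTEM process under PSEXESVC.exe.
        if ev.parent_image.lower().endswith("psexesvc.exe") and ev.user.upper() == "NT AUTHORITY\\SYSTEM":
            alerts.append({
                "host": ev.host,
                "kind": "psexec_service_child_as_system",
                "detail": f"{ev.image} spawned by {ev.parent_image}",
            })
    return alerts


# Constructed sample telemetry: the source workstation ws01 and the target marklap.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "CORP\\alice", "C:\\Tools\\PsExec.exe", "C:\\Windows\\System32\\cmd.exe",
              "psexec -i -s \\\\marklap cmd"),
    ProcEvent("ws01", "CORP\\alice", "C:\\Tools\\PsExec.exe", "C:\\Windows\\System32\\cmd.exe",
              "psexec -i \\\\marklap ipconfig /all"),
    ProcEvent("ws01", "CORP\\alice", "C:\\Tools\\PsExec.exe", "C:\\Windows\\System32\\cmd.exe",
              "psexec -i -s cmd"),
    ProcEvent("ws01", "CORP\\alice", "C:\\Tools\\PsExec.exe", "C:\\Windows\\System32\\cmd.exe",
              "psexec \\\\marklap -u CORP\\svc ipconfig /all"),
    ProcEvent("marklap", "NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\cmd.exe",
              "C:\\Windows\\PSEXESVC.exe", "cmd"),
    ProcEvent("ws01", "CORP\\alice", "C:\\Windows\\System32\\ipconfig.exe",
              "C:\\Windows\\System32\\cmd.exe", "ipconfig /all"),
]

if __name__ == "__main__":
    for alert in review_events(SAMPLE_EVENTS):
        print(alert["host"], alert["kind"], alert["detail"])
```

The launch-side rule fires on the source host (where psexec.exe itself runs) and the service-side rule on the target, so the two together cover both the local and the remote variants shown above; the plain ipconfig record produces no alert.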

Forensics:
